Prior to last month's massive breach of federal employee records, the Office of Personnel Management's own inspector general repeatedly expressed concern over the agency's outdated security practices, according to a report.
According to "Handing Over the Keys to the Castle: OPM Demonstrated that Antiquated Security Practices Harm National Security," a report from the non-partisan think tank Institute for Critical Infrastructure Technology, the greatest failure behind the OPM breach was the lack of a comprehensive governing policy for cybersecurity at the agency, which would have proactively controlled system access and mandated regular patches and upgrades. The breach reportedly impacted at least 22.5 million former, current and prospective U.S. employees.
"The single most significant recommendation that agencies like OPM could heed is to actually listen to the advice of the inspector general and do everything within their power to meet or exceed regulatory measures," the report stated.
The OPM breach was not a complicated attack, according to the report. The agency's vulnerabilities stemmed from its storing of the majority of its data on outmoded systems, and its failure to implement multifactor authentication on any of its systems, which would have helped thwart access to sensitive data.
"The failure of (the Homeland Security Department) or OPM systems to detect the breach does not indicate a level of sophistication on behalf of the adversary; rather, it only shows that the breach was sophisticated for 1970s legacy systems that operate on COBOL mainframe applications that have not been updated since the Y2K bug," the brief stated.
The think tank recommended the replacement of antiquated cyber defense systems, such as firewalls and antivirus programs, and the adoption of more innovative programs that can adapt and respond to specific situations.
Advanced, unrelenting threats are often designed to modify sophisticated intrusions, tailoring them to specific victims or organizations.
"Novel malware can bypass detection, avoid run-time analysis and prevent post-incident traces in a number of ways undetectable to current defense-in-depth norms," the report stated. "It is as effective as trying to stop a laser pointer with a chain link fence."
The brief also recommended the implementation of a behavioral analytics system, which creates a baseline profile of a user and detects and reports abnormal activities.
"Training remains the easiest and best strategy to mitigate adverse effects of the OPM breach such as insider threats, spear phishing emails, social engineering or future breaches," the report stated.
The U.S. Office of the Inspector General also issued a report, "Postal Service Cybersecurity Functions," on a November 2014 cyber-intrusion.
In November, the USPS announced a cyberattack compromised the personal information of more than 800,000 current and former employees, compensation records from 485,000 individuals and customer inquiries from about 2.9 million customers, according to the report.
According to the Inspector General, the USPS had under-trained employees, outdated technology and ineffective collaboration among cybersecurity teams.
The USPS was also using outdated systems no longer supported by the vendor, and therefore did not have security patches for vulnerabilities. The outdated systems included just 16 of 31 software versions and nine operating systems across 39 servers, the report said.
Since the 2014 breach, the USPS has been elevating cybersecurity, the OIG acknowledged. But its recommendations to the Postal Service included providing more funding for "proactive prevention, detection, response and mitigation of sophisticated cyber threats."
In a response included in the report, USPS' acting chief information officer and executive vice president Randy Miskanic said the agency generally agrees with the broad intent of most of the recommendations in the report, but believes the cyber-threats it faces warrant more flexible and active management processes and modes of response than those identified by the OIG.